thr3ads.net - CentOS - [CentOS] BIND with ACLs [Dec 2006]

If this information is useful, please help other people find it:
Share via:

Adriano Frare

2006-Dec-12 00:22 UTC

[CentOS] BIND with ACLs

Dear Friends,

I created um DNS server for network Internal and External same SERVER, 
but the control by ACLs in named.conf don't work, when I active ACLs the 
server don't resoluction external domain names.

Please, check NAMED.CONF file.

//
// named.conf for Red Hat caching-nameserver
//

options {
         directory "/var/named/";
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         /*
          * If there is a firewall between you and nameservers you want
          * to talk to, you might need to uncomment the query-source
          * directive below.  Previous versions of BIND always asked
          * questions using port 53, but BIND 8.1 uses an unprivileged
          * port by default.
          */
          // query-source address * port 53;


         allow-query {
                 127.0.0.1/32;
                 192.168.1.0/24;
                 200.245.88.23/32;
                 200.162.222.37/32;};

         allow-transfer { 127.0.0.1/32;
                     192.168.1.0/24;
                     200.162.222.37/32;
                     195.20.105.149/32;
                     193.111.27.194/32;
                     194.145.96.21/32;
                     193.23.158.13;};

         allow-recursion { 127.0.0.1/32;
                     192.168.1.0/24;
                     200.162.222.37/32;};

//        allow-notify { 127.0.0.1/32;
//                    200.245.88.23/32;};

};
// LOG
logging {
    channel query-log {
       file "/var/named/data/query-log" versions 5 size 50m;
    };
    category queries { query-log; };
};

acl internals {
                 192.168.1/24;
                 127/8;
};

//
// a caching only nameserver config
//
controls {
         inet 127.0.0.1 port 953 allow { localhost; } keys { rndckey; };
};

view "external" {
     match-clients { any; };
     recursion no;

zone "conntrust.com" IN {
         type master;
         file "conntrust.com.hosts";
         allow-update {none;};
         allow-query {any;};
         allow-transfer {any;};
};


zone "whitelist.conntrust.com" IN {
         type master;
         file "whitelist.conntrust.com.hosts";
         allow-update {none;};
         allow-query {any;};
         allow-transfer {any;};
};

}; //acl external

view "internal" {
     match-clients { internals; };
     recursion yes;



zone "." IN {
         type hint;
         file "named.ca";
};

zone "localdomain" IN {
         type master;
         file "localdomain.zone";
//      allow-update { none; };
};

zone "localhost" IN {
         type master;
         file "localhost.zone";
//      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
         type master;
         file "named.local";
//      allow-update { none; };
};

zone 
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
IN {
         type master;
         file "named.ip6.local";
//      allow-update { none; };
};

zone "255.in-addr.arpa" IN {
         type master;
         file "named.broadcast";
//      allow-update { none; };
};

zone "0.in-addr.arpa" IN {
         type master;
         file "named.zero";
//      allow-update { none; };
};


     zone "conntrust.com" IN {
         type master;
         file "internal.conntrust.com.hosts";
       allow-update { internals; };

     };


}; // acl internal

include "/etc/rndc.key";


Thanks


Adriano

Robert Spangler

2006-Dec-12 02:36 UTC

head link

[CentOS] BIND with ACLs

On Mon December 11 2006 19:22, Adriano Frare wrote:
>  I created um DNS server for network Internal and External same SERVER,
>  but the control by ACLs in named.conf don't work, when I active ACLs
the
>  server don't resoluction external domain names.
First off are you running a caching server or will it serve a domain?  Then 
you need to clean up your named.conf file to make it easier to follow.  Place 
all the allow-* into the options section.  It doesn't look like you are 
denying anything.  Then delete the items you don't need i.e., if yo are not 
using ipv6 the don't load those zones.  I did not see any reverse zone for 
192.168.1 zone.  Also you do not need to load the local* zones.  This 
information your system gets from the /etc/hosts file.

I am willing to help if I know what you are looking and how you want the 
server to work.


-- 

Regards
Robert

Smile... it increases your face value!

Apparently Analagous Threads

Search for more maybe matching threads

CentOS - Dec 2006 - BIND with ACLs

[CentOS] BIND with ACLs

[CentOS] BIND with ACLs

Apparently Analagous Threads